1 General Information in CISA Study and Examination
1.1 Correct Mindsets
1.2 CISA Examination
1.3 Topics Weighting
2 The Process of Auditing Information Systems
2.1 Roles involved in the IS Audit
2.2 Purpose of an Audit
2.9 Independence – Keeping fair and objective
2.4 Types of Audits
2.5 Ten Audit Stages
2.6 Audit Charter
2.7 Preplan the Audit
2.8 Audit, Assessment and Control Self-Assessment (CSA)
2.9 Risk Management Concepts
2.10 Role of Management
2.11 Human Resource Management
2.12 Communication between Auditors and Auditee
2.13 Data Collection Methodologies
2.14 Internal Controls
2.15 Audit Evidence
2.16 Evidence Lifecycle
2.17 Audit Sampling
2.18 Audit Testing for assurance
2.19 Tolerable Error Rate
2.20 Responding to Irregular or Illegal Activities
2.21 Audit information beyond the audit scope
2.22 Report the Audit Findings
2.23 ISACA Audit Standards
2.24 ISACA Audit Guidelines
2.25 ISACA Audit Procedures
2.26 Conclusion of IS Audit Process
Develop and implement a risk-based audit strategy.
3 Governance and Management of IT
3.1 Introduction of IT Governance
3.2 IT Strategy Committee
3.3 The IT Steering Committee
3.4 The Balanced Scorecard
3.5 The Standard IT Balanced Scorecard
3.6 Roles and Responsibility of different parties
3.7 Capability Maturity Model (CMM)
3.8 Data Flow Diagram (DFD)
3.9 Policy, Standard, Guideline and Procedure
3.10 Introduction of the Risk Management Program
3.11 Risk Management Process
3.12 Risk Handling (Treatment)
3.13 Residual Risk
3.14 IT Management Practices
3.15 Personnel Management
3.16 Outsourcing
3.17 Outsourcing Governance
3.18 SaaS (Software-as-a-Service)
3.19 Audit IT Governance
4 Information Systems Acquisition, Development and Implementation
4.1 Business Realization
4.2 Business Case
4.3 Measuring Business Benefits
4.4 Project Roles and Responsibility
4.5 Project Planning
4.6 The Software Development Life Cycle (SDLC)
4.7 Software Development Risks
4.8 SDLC Phase
4.9 SDLC - Feasibility study
4.10 Requirement Definition
4.11 Business Functional Requirements
4.12 Technical Requirements
4.13 Security and Regulatory Requirements
4.14 Disaster Recovery and Business Continuity Requirements
4.15 The RFP (Request For Proposal) Process
4.16 SDLC - Design
4.17 SDLC – Development
4.18 Programming Languages
4.19 Application Debug
4.20 Threat to input control - SQL injection
4.21 Source Code Management
4.22 UAT and QAT
4.23 SDLC – Implementation
4.24 SDLC Maintenance
4.25 Other application development techniques
4.26 OO (Object-Oriented) Concepts
4.27 Application Controls
4.28 Change Management
4.29 Configuration Management
4.30 Business Process
4.31 Audit in PM and SDLC
5 Information Systems Operations, Maintenance and Support
5.1 IT help desk
5.2 Incident Management
5.3 Problem Management
5.4 Change Management
5.5 Release Management
5.6 Gate Process
5.7 Application Library Management
5.8 Quality Assurance
5.9 System Hardware
5.10 System Hardware Monitoring
5.11 Database Management Systems
5.12 Introduction of Relational DBMS Concepts
5.13 Database Transaction and ACID Controls
5.14 Database View
5.15 Network Infrastructure
5.16 OSI Reference Model
5.17 Class A / Class B / Class C of IPv4 addresses
5.18 IPv6 Address
5.19 Address Resolution Protocol (ARP)
5.20 DNS (Domain Name System)
5.21 DHCP
5.22 IPSec VPN
5.23 Business Continuity and Disaster Recovery
5.24 Types of Disasters
5.25 Relationship between Disaster / Business Disruption and organization
5.26 BCP (Business Continuity Plan) Phase
5.27 BCP Project Initiation
5.28 BIA (Business Impact Analysis)
5.29 RTO and RPO
5.30 Develop Continuity / Recovery Strategy
5.31 Develop Strategy - Business Process Recovery
5.32 Develop Strategy – Facility and Supply Recovery
5.33 Develop Strategy – Supply and Technology Recovery
5.34 Develop Strategy – User Recovery
5.35 Develop Strategy – Data Recovery
5.36 Recovery Technologies
5.37 BCP Development
5.38 BCP Testing
5.39 Introduction of Virtualization
5.40 Components in Virtualization
5.41 Risks in Virtualization
5.42 Best Practices in managing virtualized environment
5.43 Audit the virtualization
5.44 Introduction of Social Networking
5.45 Risks in social networking
5.46 Mitigating risks in social networking
5.47 Auditing IS Infrastructure and Operations
5.48 Auditing File Systems
5.49 Auditing DBMS (Database Management System)
6 Protection of Information Assets
6.1 Different kinds of attacks
6.2 Passive Attacks
6.3 Active Attacks
6.4 Information Classification
6.5 Data Authority Roles
6.6 Data Retention Concept
6.7 Administrative Protection – Policy
6.8 Administrative Protection – Personnel Management
6.9 Administrative Protection – Terminating Access
6.10 Administrative Protection – Incident Handling
6.11 Physical Protection - Access Path
6.12 Physical Protection – Environmental Control (Electricity)
6.13 Physical Protection – Environmental Control (HVAC)
6.14 Physical Protection – Environmental Control (Fire)
6.15 Physical Protection – Disposal Procedures
6.16 Technical Protection – MAC
6.17 Technical Protection - DAC
6.18 Technical Protection – RBAC
6.19 Technical Protection - Constrained User Interface
6.20 Technical Protection - Authentication
6.21 Technical Protection - Biometric
6.22 Technical Protection – Kerberos
6.23 Technical Protection – Firewall
6.24 Technical Protection – Firewall Architecture
6.25 Technical Protection – Wireless Architecture and Security
6.26 PKI (Public Key Infrastructure)
6.27 PKI: Encryption
6.28 PKI: Digital Certificate
6.29 Technical Protection – Diffie Hellman
6.30 Technical Protection – Email Security
6.31 Introduction of Voice Infrastructure
6.32 Risks in the voice infrastructure
6.33 Mitigating Risks in the voice infrastructure